I have it running just fine using mocked objects in test kitchen and chef zero, but I'm running into an ACL problem when I try to spin it up on a real server.
This is the basic idea of my recipe code:
# Recipe excerpt: creates the "grafana" vault item in the "secrets" data bag
# (straight quotes restored; the original post used curly quotes)
chef_vault_secret("grafana") do
  action [:create_if_missing]
  data_bag "secrets"
  raw_data "adminuser" => "admin", "adminpass" => "not_random_password"
  admins ["alice", "bob", "carol", "dave", "eve"]
  search "recipes:myorg-grafana::default"
end
It looks like my client is trying to access the users endpoint on the chef server for the first admin user in my array, but is getting denied:
I think I ran into something similar. I had things working fine with chef-provisioner using chef-zero but when I ported everything to my chef server it was failing.
I didn't take time to dig into the cause but would love to know what's needed perms-wise to get it to work also.
According to what I remember, the client has to have read permission on all nodes and all users, and read/write permissions on the databag container to create it.
Edit: I'm unsure the web UI lets you do this; you'll have to give the perms with knife-acl.
This is the knife-acl stuff that I did to ensure that my test chef server had the databag and that my test node's client object had access to the databag.
knife data bag create secrets
knife group create secrets_writers
knife acl add group secrets_writers data secrets create,read,update,delete
knife group add client grafana-chefvault-billtest secrets_writers
I have no idea how to grant the client object access to the users endpoint.
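As an added check that is not part of the thread above: a small script that verifies the ACL set up by the knife-acl commands in the previous post actually grants the group create/read/update/delete on the data bag and that the client is a member of that group. It parses constructed sample JSON in the shape `knife acl show data secrets` and `knife group show secrets_writers` return (the exact field names of the group output are an assumption); in practice you would pipe the real command output into it.

```python
import json

# Constructed sample of the output of `knife acl show data secrets`:
# one entry per permission, each listing the actors and groups granted it.
ACL_JSON = """{
  "create": {"actors": ["pivotal"], "groups": ["admins", "secrets_writers"]},
  "read":   {"actors": ["pivotal"], "groups": ["admins", "secrets_writers", "clients"]},
  "update": {"actors": ["pivotal"], "groups": ["admins", "secrets_writers"]},
  "delete": {"actors": ["pivotal"], "groups": ["admins"]},
  "grant":  {"actors": ["pivotal"], "groups": ["admins"]}
}"""

# Constructed sample of `knife group show secrets_writers`
# (field names assumed; adjust to what your server returns).
GROUP_JSON = """{"actors": ["grafana-chefvault-billtest"], "users": [],
 "clients": ["grafana-chefvault-billtest"], "groups": []}"""

# Permissions chef_vault_secret needs on the data bag to create the item.
REQUIRED = ("create", "read", "update", "delete")


def missing_perms(acl, group, required=REQUIRED):
    """Return the permissions in `required` that `group` is not granted."""
    return [p for p in required if group not in acl.get(p, {}).get("groups", [])]


def client_in_group(group_obj, client):
    """True if `client` appears in the group's clients or actors list."""
    return client in group_obj.get("clients", []) or client in group_obj.get("actors", [])


def check_client_access(acl_json, group_json, group, client):
    """Summarise what is still missing for `client` to write the data bag via `group`."""
    acl, grp = json.loads(acl_json), json.loads(group_json)
    return {"missing": missing_perms(acl, group), "member": client_in_group(grp, client)}


if __name__ == "__main__":
    # Sample run: the group lacks "delete", so the knife-acl step was incomplete.
    print(check_client_access(ACL_JSON, GROUP_JSON, "secrets_writers",
                              "grafana-chefvault-billtest"))
```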